Bug 1126117 - (CVE-2019-8907) VUL-0: CVE-2019-8907: file: do_core_note in readelf.c in libmagic.a allows to cause a denial of service
(CVE-2019-8907)
VUL-0: CVE-2019-8907: file: do_core_note in readelf.c in libmagic.a allows to...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/224989/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-20 15:06 UTC by Robert Frohl
Modified: 2020-01-28 07:40 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA Reproducer (10.25 KB, application/x-core)
2019-02-22 10:22 UTC, Robert Frohl
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2019-02-20 15:06:08 UTC
rh#1679138

do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to
cause a denial of service (stack corruption and application crash) or possibly
have unspecified other impact.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1679138
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8907
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8907.html
https://bugs.astron.com/view.php?id=65
Comment 1 Robert Frohl 2019-02-20 15:11:26 UTC
Upstream info is a bit confusing, the issue should fixed by the CVE-2019-8905 changes (bsc#1126118) according to the upstream bugtracker.
Comment 2 Robert Frohl 2019-02-20 15:14:39 UTC
I believe only SUSE:SLE-15:Update is affected.
Comment 3 Robert Frohl 2019-02-20 15:17:40 UTC
the libmagic library embedded in php is not affected, because the version is to old
Comment 4 Dr. Werner Fink 2019-02-21 08:58:52 UTC
SR#185053 for SLE-15 and SLE-15-PS1
Comment 5 Swamp Workflow Management 2019-02-21 09:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1126117) was mentioned in
https://build.opensuse.org/request/show/677928 Factory / file
Comment 7 Dr. Werner Fink 2019-02-21 10:11:38 UTC
SR#185059 for SLE-12 for all SP
Comment 8 Dr. Werner Fink 2019-02-21 10:30:53 UTC
SlE-11 and up seem not to be affected ... a test case would be helpful
Comment 10 Robert Frohl 2019-02-22 10:22:55 UTC
Created attachment 797590 [details]
QA Reproducer

$ valgrind file stack_corruption1

[..]
**543** *** memcpy_chk: buffer overflow detected ***: program terminated
==543==    at 0x483A75C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==543==    by 0x483FA3A: __memcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==543==    by 0x4859C43: memcpy (string_fortified.h:34)
==543==    by 0x4859C43: do_core_note (readelf.c:755)
==543==    by 0x485AC89: donote (readelf.c:1196)
==543==    by 0x485BAA9: dophn_core.part.5 (readelf.c:398)
==543==    by 0x485D6E5: dophn_core (readelf.c:355)
==543==    by 0x485D6E5: file_tryelf (elfclass.h:43)
==543==    by 0x485F7D7: file_buffer (funcs.c:305)
==543==    by 0x484DB5F: file_or_fd (magic.c:508)
==543==    by 0x10B456: process (file.c:554)
==543==    by 0x10A850: main (file.c:424)
[..]

sorry, I forgot the reproducers. Was planning to look into the issues more, but currently don't find the time.
Comment 11 Dr. Werner Fink 2019-02-22 10:48:37 UTC
abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind   ./src/.libs/file /tmp/stack_corruption1 
==24378== Memcheck, a memory error detector.
==24378== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24378== Using LibVEX rev 1854, a library for dynamic binary translation.
==24378== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24378== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24378== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24378== For more details, rerun with: -v
==24378== 
/tmp/stack_corruption1: ELF 32-bit LSB core file Intel 80386, version 1, NetBSD-style, from '[\020\012' (signal 45834)
==24378== 
==24378== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24378== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24378== malloc/free: 70 allocs, 70 frees, 205,620 bytes allocated.
==24378== For counts of detected errors, rerun with: -v
==24378== All heap blocks were freed -- no leaks are possible.
Comment 12 Dr. Werner Fink 2019-02-22 10:49:44 UTC
Does look like SLE-11 file-4.24 is safe here
Comment 13 Dr. Werner Fink 2019-02-22 11:00:14 UTC
seems to be fixed with submit request for SLE-12 and SLE-15
Comment 14 Swamp Workflow Management 2019-03-07 23:10:09 UTC
SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    file-5.32-7.5.1, python-magic-5.32-7.5.1
Comment 15 Swamp Workflow Management 2019-04-02 16:20:11 UTC
SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    file-5.22-10.12.2
SUSE CaaS Platform ALL (src):    file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src):    file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2020-01-28 07:40:30 UTC
done